Preface

Oracle Label Security enables access control to reach specific (labeled) rows of a database. With Oracle Label Security in place, users with varying privilege levels automatically have (or are excluded from) the right to see or alter labeled rows of data.

This Oracle Label Security Administrator's Guide describes how to use Oracle Label Security to protect sensitive data. It explains the basic concepts behind label-based security and provides examples to show how it is used.

Audience

The Oracle Label Security Administrator's Guide is intended for database administrators (DBAs), application programmers, security administrators, system operators, and other Oracle users who perform the following tasks:

Analyze application security requirements

Create label-based security policies

Administer label-based security policies

Use label-based security policies

To use this document, you need a working knowledge of SQL and Oracle fundamentals. You should also be familiar with Oracle security features described in "Related Documentation". To use SQL*Loader, you must know how to use the file management facilities of your operating system.

Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at

http://www.oracle.com/accessibility/

Accessibility of Code Examples in Documentation

JAWS, a Windows screen reader, may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, JAWS may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

Organization

This chapter introduces Oracle Label Security in the larger context of data security. It gives an overview of computer security issues and data access controls, and outlines the architecture and major features of Oracle Label Security.

This chapter discusses the fundamental concepts of data labels and user authorizations, and introduces the terminology that will help you understand Oracle Label Security. It covers label components, label syntax and type, and explains how data labels and user authorizations work together.

This chapter presents the access controls and privileges that determine the type of access users can have to the rows affected. It introduces the concepts of session label and row label, and explains how rows are evaluated for access mediation.

This chapter explains the integration of Oracle Label Security features with those of Oracle Internet Directory. Enabling Oracle Label Security to take advantage of the central directory simplifies management of data labels, user labels and privileges, policies, and enterprise users across multiple databases and domains.

This chapter explains how you can set authorizations for users, and grant privileges to users or stored program units by means of the available Oracle Label Security packages, or Oracle Policy Manager.

This chapter explains how Oracle Label Security supplements the Oracle9i audit facility by tracking use of its own administrative operations and policy privileges. It describes the SA_AUDIT_ADMIN package, which enables you to set and change the policy auditing options.

The standard Oracle9i utilities can be used under Oracle Label Security, but certain restrictions apply, and extra steps may be required to get the expected results. This chapter describes these special considerations.

Many of the examples in the documentation set use the sample schemas of the seed database, which is installed by default when you install Oracle. Refer to Oracle Database Sample Schemas for information on how these schemas were created and how you can use them yourself.

In North America, printed documentation is available for sale in the Oracle Store at

Other customers can contact their Oracle representative to purchase printed documentation.

To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at

Lowercase monospace typeface indicates executables, filenames, directory names, and sample user-supplied elements. Such elements include computer and database names, net service names, and connect identifiers, as well as user-supplied database objects and structures, column names, packages and classes, usernames and roles, program units, and parameter values.

Note: Some programmatic elements use a mixture of UPPERCASE and lowercase. Enter these elements as shown.

Enter sqlplus to open SQL*Plus.

The password is specified in the orapwd file.

Back up the datafiles and control files in the /disk1/oracle/dbs directory.

The department_id, department_name, and location_id columns are in the hr.departments table.

Set the QUERY_REWRITE_ENABLED initialization parameter to true.

Connect as oe user.

The JRepUtil class implements these methods.

lowercase italic monospace (fixed-width) font

Lowercase italic monospace font represents placeholders or variables.

You can specify the parallel_clause.

Run Uold_release.SQL where old_release refers to the release you installed prior to upgrading.

Conventions in Code Examples

Code examples illustrate SQL, PL/SQL, SQL*Plus, or other command-line statements. They are displayed in a monospace (fixed-width) font and separated from normal text as shown in this example:

SELECT username FROM dba_users WHERE username = 'MIGRATE';

The following table describes typographic conventions used in code examples and provides examples of their use.

Convention

Meaning

Example

[ ]

Brackets enclose one or more optional items. Do not enter the brackets.

DECIMAL (digits[ ,precision])

{ }

Braces enclose two or more items, one of which is required. Do not enter the braces.

{ENABLE | DISABLE}

|

A vertical bar represents a choice of two or more options within brackets or braces. Enter one of the options. Do not enter the vertical bar.

{ENABLE | DISABLE}

[COMPRESS | NOCOMPRESS]

...

Horizontal ellipsis points indicate either:

That we have omitted parts of the code that are not directly related to the example

That you can repeat a portion of the code

CREATE TABLE ... ASsubquery;

SELECTcol1,col2, ... ,colnFROM employees;

.

.

.

Vertical ellipsis points indicate that we have omitted several lines of code not directly related to the example.

Other notation

You must enter symbols other than brackets, braces, vertical bars, and ellipsis points as shown.

acctbal NUMBER(11,2);

acct CONSTANT NUMBER(4) := 3;

Italics

Italicized text indicates placeholders or variables for which you must supply particular values.

CONNECT SYSTEM/system_password

DB_NAME =database_name

UPPERCASE

Uppercase typeface indicates elements supplied by the system. We show these terms in uppercase in order to distinguish them from terms you define. Unless terms appear in brackets, enter them in the order and with the spelling shown. However, because these terms are not case sensitive, you can enter them in lowercase.